<html>
<head><meta charset="utf-8"><title>another CVE in old stdlib · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/another.20CVE.20in.20old.20stdlib.html">another CVE in old stdlib</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="159289286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/another%20CVE%20in%20old%20stdlib/near/159289286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/another.20CVE.20in.20old.20stdlib.html#159289286">(Feb 24 2019 at 20:00)</a>:</h4>
<p><a href="https://github.com/rust-lang/rust/issues/53566" target="_blank" title="https://github.com/rust-lang/rust/issues/53566">https://github.com/rust-lang/rust/issues/53566</a> - this is yet another case of a standard library bug that should have gotten a CVE, but didn't. I've notified the security team and they replied (again) that they don't support old Rusts, and do not intend to do anything about it. So I've applied for a CVE myself.<br>
It affects 1.18.0 onwards and was fixed just recently, in 1.30.0. The same attack vector causes a stack overflow on 1.17.0.</p>



<a name="159289344"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/another%20CVE%20in%20old%20stdlib/near/159289344" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/another.20CVE.20in.20old.20stdlib.html#159289344">(Feb 24 2019 at 20:02)</a>:</h4>
<p>Seems like a good arguments for getting these into rustsec. Where did we land on that <span class="user-mention" data-user-id="132721">@Tony Arcieri</span> ?</p>



<a name="159298693"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/another%20CVE%20in%20old%20stdlib/near/159298693" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/another.20CVE.20in.20old.20stdlib.html#159298693">(Feb 24 2019 at 21:57)</a>:</h4>
<p>derp guess I haven't been keeping up here</p>



<a name="159298705"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/another%20CVE%20in%20old%20stdlib/near/159298705" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/another.20CVE.20in.20old.20stdlib.html#159298705">(Feb 24 2019 at 21:57)</a>:</h4>
<p>uhh I think we're mostly at consensus that it's a reasonable enough idea, and you cataloguing the known ones in a GH issue and... that's it</p>



<a name="159298755"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/another%20CVE%20in%20old%20stdlib/near/159298755" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/another.20CVE.20in.20old.20stdlib.html#159298755">(Feb 24 2019 at 21:58)</a>:</h4>
<p>next steps are how to represent them, whether we should distinguish e.g. std vs rustc vs (core? alloc?)</p>



<a name="159298759"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/another%20CVE%20in%20old%20stdlib/near/159298759" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/another.20CVE.20in.20old.20stdlib.html#159298759">(Feb 24 2019 at 21:58)</a>:</h4>
<p>and what the schema should be</p>



<a name="159299305"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/another%20CVE%20in%20old%20stdlib/near/159299305" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/another.20CVE.20in.20old.20stdlib.html#159299305">(Feb 24 2019 at 22:13)</a>:</h4>
<p>Fortunately a binary scanner is dead simple because rustc already encodes its version and LLVM version in everything it builds. UNfortunately, there is no way to tell if a particular function is used or not in an optimized binary, so we'll be showing false positives most of the time, by design. Also, linux distros cherry-pick fixes to earlier versions sometimes, further confusing everything.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>